Mobile employee IDs getting closer to reality

Last updated: 10 May 2013

Do you work from your mobile device?  It’s true that with mobile devices becoming ubiquitous and Bring-Your-Own-Device (BYOD) a trend that is here to stay, corporate and government employees are increasingly eager to use their mobile devices to stay productive at work and on the road.  This doesn’t come without its issues – mobile devices and applications, unfortunately, are often lacking in strong security features.  How can we let employees work efficiently from their mobile devices without compromising security?

Today, Personal Identity Verification (PIV) and PIV-Interoperable (PIV-I) credentials allow federal, state and local governments and enterprises to provide trust and security for employees accessing physical buildings and IT systems and networks.  The latest PIV Cards offer one-time-password support along with PIV authentication, providing customers with a choice of technology from a single device. What if there was a way to take these proven, widely-used credentials and put them directly in a mobile device?

It’s a good idea, but one of the issues with putting PIV credentials in a mobile handset is the nature of the mobile device market.  Because handsets and operating systems are continually updated and consumers want to have the latest and best technology, people in the U.S. actually upgrade their mobile devices more often than anyone else in the world (every two years or so).  Because of this, it doesn’t make sense to put a PIV credential, with the lengthy cryptographic certifications required by the U.S. Government, directly in a mobile device’s hardware platform that will only be used for a short period of time.

What makes more sense, and would be more cost effective, is to place PIV and PIV-I credentials in the secure UICC (a next-generation SIM card) that is inserted into the various devices.  The UICC is removable and can be provisioned remotely over-the-air, making it a much more stable choice for a mobile PIV credential.  This way, a government employee’s PIV credential could simply move with him from handset to handset.

Possibly the biggest benefit would be to enable employees to use their mobile device as securely as they use a laptop or PC, creating a secure BYOD environment.  A mobile phone that is loaded with PIV or PIV-I credentials in the UICC can be used securely to do things like:

  • Send signed e-mail messages
  • Decrypt e-mail messages
  • Secure web access to remote services
  • Encrypt/decrypt files at rest
  • Access a VPN
  • Sign documents digitally

There are a few things that need to happen for mobile PIV credentials to become a reality.  The first is to work out the technical considerations and how all of the players across the mobile platform chain can work together.  The second is the policy considerations, which is why the GSMA will soon be working on an international standard to define and create specifications for mobile identity.